Oracle Database Vault - ORACLE APPLICATION DATABASE ...



Oracle Database Vault

This is a very powerful and easy-to-use security tool that can be deployed to enforce security controls and to meet audit requirements.

In the first case study, a user holding every database privilege (a DBA, here SYS itself) is still locked out of, and prevented from accessing, tables in a particular schema.

In the second case study, security is enforced by ensuring that a DELETE on a particular table is only possible when the user connects from a client machine with a particular IP address.

Using the web UI (Database Vault Administrator), creating rule sets and security realms is very easy, so many different kinds of audit and security requirements can be met effectively with minimum effort.

CONFIGURE OEM:

The SYSMAN and DBSNMP accounts are reset and unlocked so that the Enterprise Manager Configuration Assistant (emca) can create the Database Control repository. The passwords below are throwaway lab values; Database Control and the DBSNMP monitoring account are routinely probed with exactly these defaults, so use strong, unique passwords on anything other than a disposable lab box.

SQL> alter user sysman identified by sysman;
User altered.
SQL> alter user dbsnmp identified by dbsnmp;
User altered.
SQL> alter user sysman account unlock;
User altered.
SQL> alter user dbsnmp account unlock;
User altered.
SQL> !                                   (drops to the OS shell)

[oracle@database ~]$ netmgr              (to create both the listener and the TNS alias)
[oracle@database ~]$ lsnrctl start test
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:33
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
Starting /u01/app/oracle/product/11.2.0/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 11.2.0.3.0 - Production
System parameter file is /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=database.)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     test
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                13-APR-2016 11:34:33
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/database/test/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=database.)(PORT=1521)))
Services Summary...
Service "TEST" has 1 instance(s).
  Instance "TEST", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

[oracle@database ~]$ tnsping test
TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-APR-2016 11:34:39
Copyright (c) 1997, 2011, Oracle.  All rights reserved.
Used parameter files:
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.82)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = TEST)))
OK (0 msec)

[oracle@database ~]$ emca -config dbcontrol db -repos create
STARTED EMCA at Apr 13, 2016 11:35:56 AM
EM Configuration Assistant, Version 11.2.0.3.0 Production
Copyright (c) 2003, 2011, Oracle.  All rights reserved.
Enter the following information:
Database SID: TEST
Listener port number: 1521
Listener ORACLE_HOME [ /u01/app/oracle/product/11.2.0/dbhome_1 ]:
Password for SYS user:
Password for DBSNMP user:
Password for SYSMAN user:
Email address for notifications (optional):
Outgoing Mail (SMTP) server for notifications (optional):
You have specified the following settings
Database ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1
Local hostname ................ database.
Listener ORACLE_HOME ................ /u01/app/oracle/product/11.2.0/dbhome_1
Listener port number ................ 1521
Database SID ................ TEST
Email address for notifications ...............
Outgoing Mail (SMTP) server for notifications ...............
-----------------------------------------------------------------
Do you wish to continue? [yes(Y)/no(N)]: Y
Apr 13, 2016 11:36:18 AM oracle.sysman.emcp.EMConfig perform
INFO: This operation is being logged at /u01/app/oracle/cfgtoollogs/emca/TEST/emca_2016_04_13_11_35_56.log.
Apr 13, 2016 11:36:22 AM oracle.sysman.emcp.EMReposConfig uploadConfigDataToRepository
INFO: Uploading configuration data to EM repository (this may take a while) ...
Apr 13, 2016 11:37:01 AM oracle.sysman.emcp.EMReposConfig invoke
INFO: Uploaded configuration data successfully
Apr 13, 2016 11:37:03 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole
INFO: Securing Database Control (this may take a while) ...
Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil secureDBConsole
INFO: Database Control secured successfully.
Apr 13, 2016 11:38:18 AM oracle.sysman.emcp.util.DBControlUtil startOMS
INFO: Starting Database Control (this may take a while) ...
Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration
INFO: Database Control started successfully
Apr 13, 2016 11:38:56 AM oracle.sysman.emcp.EMDBPostConfig performConfiguration
INFO: >>>>>>>>>>> The Database Control URL is <<<<<<<<<<<
Apr 13, 2016 11:38:58 AM oracle.sysman.emcp.EMDBPostConfig invoke
WARNING: ************************  WARNING  ************************
Management Repository has been placed in secure mode wherein Enterprise Manager data will be encrypted. The encryption key has been placed in the file: /u01/app/oracle/product/11.2.0/dbhome_1/database._TEST/sysman/config/emkey.ora. Ensure this file is backed up as the encrypted data will become unusable if this file is lost.
***********************************************************
Enterprise Manager configuration completed successfully
FINISHED EMCA at Apr 13, 2016 11:38:58 AM

Back up emkey.ora out of band and restrict its file permissions: it decrypts the credentials stored in the Database Control repository, so it is as sensitive as the passwords themselves.

CONFIGURING THE DATABASE VAULT OPTION IN AN EXISTING ORACLE_HOME AND SETTING UP THE DATABASE VAULT OWNER 'DBVOWNER'

Database Vault is registered with DBCA (Configure Database Options), which creates the Database Vault owner account DBVOWNER. This step is run after the option has been linked into the oracle binary and the database restarted (steps 1 to 4 below), while Database Control is still stopped. Only the invocation and the lab password used for the owner are shown here; use a strong password outside a lab, since this account administers every realm and rule set.

[oracle@database ]$ dbca
PASSWORD=welcome#123

CHECK WHETHER DATABASE VAULT IS ENABLED

SQL> select * from v$option where parameter = 'Oracle Database Vault';

PARAMETER                        VALUE
-------------------------------- --------------------------------
Oracle Database Vault            FALSE

CONFIGURE DATABASE VAULT

1) Ensure that the computer on which you want to register Oracle Database Vault has the Oracle Enterprise Manager Database Console available:

$ emctl status dbconsole

2) Stop the database, the Database Control console process and the listener. Database Vault is linked into the oracle executable, so the relink in step 3 must run with all three shut down:

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop TEST

For Oracle RAC installations, shut down each database instance as follows:

$ srvctl stop database -d db_name

3) Enable Oracle Database Vault (together with Oracle Label Security, which it depends on) by relinking:

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle

4) Restart the database and the listener. Do not restart the Database Control console process yet; it is started again once Database Vault has been registered with DBCA:

$ sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ lsnrctl start TEST

After registration, Database Control is started again:

[oracle@database lib]$ emctl start dbconsole

Confirm that the option is now enabled:

SQL> select * from v$option where parameter = 'Oracle Database Vault';

PARAMETER                        VALUE
-------------------------------- --------------------------------
Oracle Database Vault            TRUE

CASE ONE

User SYS has the SELECT ANY TABLE privilege and can select all the rows of the SCOTT.EMP table:

SQL> conn / as sysdba
Connected.
SQL> select count(*) from scott.emp;

  COUNT(*)
----------
        14

DEMO: the EMP table owned by SCOTT is added to the secured realm scott

Once EMP is protected by a realm in which SYS is not authorised, the same query fails with ORA-01031, the error Database Vault raises for any realm violation. SYS is also refused ALTER USER on SCOTT: Database Vault's default command rules reserve user administration for holders of the Database Vault account manager role (DV_ACCTMGR), which SYS does not have.

SQL> conn / as sysdba
Connected.
SQL> select * from scott.emp;
select * from scott.emp
              *
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter user scott account lock;
alter user scott account lock
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter user scott identified by scott;
alter user scott identified by scott
*
ERROR at line 1:
ORA-01031: insufficient privileges

DEMO: all tables owned by SCOTT are added to the secured realm SCOTT_FULL

SQL> show user
USER is "SYS"
SQL> select * from scott.dept;
select * from scott.dept
              *
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> select * from scott.emp;
select * from scott.emp
              *
ERROR at line 1:
ORA-01031: insufficient privileges

CASE TWO

In the second case study we set up security with Database Vault so that a DELETE on a certain table can only be performed when you connect from a client machine with a particular IP address. This blocks destructive access to data held in sensitive tables even by users who hold the DELETE privilege, because a command rule is evaluated on top of the normal privilege check.

CREATE A NEW RULE SET

DISABLE DATABASE VAULT

Stop OEM (dbconsole), the database and the listener exactly as in step 2 above, then relink with the option off:

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off lbac_off
$ cd $ORACLE_HOME/bin
$ relink oracle ................

Note that disabling requires the OS account that owns ORACLE_HOME and a full outage. Database Vault constrains privileged database users such as SYS; it does not constrain whoever controls the oracle OS account, so protect that account and alert on relinks and restarts that were not scheduled.
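The page builds the SCOTT_FULL realm in the Database Vault Administrator web UI, which this excerpt does not show. As an added example, not from the page, the following PL/SQL creates the same realm through the DBMS_MACADM API and then verifies it. It is run as the Database Vault owner (DBVOWNER on this page); SYS cannot run it. The realm, schema and object names are the page's own; the audit options and the grantee choice are assumptions made for the example.

```sql
-- Added example: case one's realm via DBMS_MACADM (run as DBVOWNER, not SYS).
BEGIN
  -- A realm that is enabled and audits failed (blocked) access; blocked
  -- attempts are written to DVSYS.AUDIT_TRAIL$.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT_FULL',
    description   => 'All tables owned by SCOTT',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- One wildcard entry protects every table in the schema, including tables
  -- created later, so the realm does not silently miss new objects.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT_FULL',
    object_owner => 'SCOTT',
    object_name  => '%',
    object_type  => 'TABLE');

  -- Only explicitly authorised accounts can reach the objects; everyone else,
  -- SYS and SELECT ANY TABLE holders included, gets ORA-01031. SCOTT is made a
  -- realm owner (assumption: the schema owner keeps full access).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT_FULL',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm covers ...
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'SCOTT_FULL';

-- ... and who is authorised in it.
SELECT realm_name, grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'SCOTT_FULL';

-- Most recent blocked attempts, e.g. the ORA-01031 SYS received in the demo.
SELECT username, action_name, action_object_name, returncode, extended_timestamp
  FROM dvsys.audit_trail$
 ORDER BY extended_timestamp DESC;
```

The realm blocks SYS from SCOTT's tables but, as the demo shows, it is the separate default command rules (not the realm) that stop SYS running ALTER USER; both are reported as ORA-01031, so check the Database Vault audit trail rather than the error text to see which control fired.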
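The rule set for case two is also created in the web UI and is not included in this excerpt. As an added example, not from the page, the following PL/SQL creates the equivalent rule, rule set and DELETE command rule with DBMS_MACADM. The protected table (SCOTT.EMP) and the permitted client address (192.168.1.82, the host seen in the tnsping output) are assumptions; the page does not name either.

```sql
-- Added example: case two's IP-restricted DELETE via DBMS_MACADM (run as DBVOWNER).
BEGIN
  -- A rule is a boolean SQL expression evaluated at statement time.
  -- SYS_CONTEXT('USERENV','IP_ADDRESS') is NULL for local IPC/bequeath
  -- sessions, so the comparison is false there and the rule fails closed.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connected from trusted host',
    rule_expr => q'[SYS_CONTEXT('USERENV','IP_ADDRESS') = '192.168.1.82']');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Delete EMP from trusted host',
    description     => 'DELETE on SCOTT.EMP only from the permitted client',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must be true
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, -- log blocked attempts
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,  -- show the message below
    fail_message    => 'DELETE on EMP is only permitted from the authorised client',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Delete EMP from trusted host',
    rule_name     => 'Connected from trusted host');

  -- The command rule: DELETE on SCOTT.EMP is allowed only when the rule set
  -- evaluates to true, regardless of the DELETE privilege the session holds.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'Delete EMP from trusted host',
    object_owner  => 'SCOTT',
    object_name   => 'EMP',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verify the command rule and the expression it depends on.
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dba_dv_command_rule
 WHERE command = 'DELETE' AND object_owner = 'SCOTT';

SELECT rule_set_name, rule_name, rule_expr, enabled
  FROM dba_dv_rule_set_rule
 WHERE rule_set_name = 'Delete EMP from trusted host';

-- Test from a session that holds DELETE on SCOTT.EMP. From any client other
-- than 192.168.1.82 the DELETE is rejected with the configured fail message
-- and no row is removed; from the permitted client it succeeds.
SELECT SYS_CONTEXT('USERENV','IP_ADDRESS') AS client_ip FROM dual;
DELETE FROM scott.emp WHERE empno = 7369;
ROLLBACK;
```

Two caveats for production use. The rule trusts the address the listener saw: if users reach the database through an application server or connection pool, every user shares that server's address and the rule no longer distinguishes them, so combine it with a check on SESSION_USER or a Database Vault factor. Second, an IP check is an access control, not authentication; the page's intent is to stop DELETEs from unexpected places, and it should be paired with the realm from case one so that the table cannot simply be dropped or truncated instead.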
